| author | Kartik K. Agaram <vc@akkartik.com> | 2022-02-20 04:57:01 -0800 |
|---|---|---|
| committer | Kartik K. Agaram <vc@akkartik.com> | 2022-02-20 05:01:28 -0800 |
| commit | f8f1ec666afd0ec85fd6a7eff5f5b728412b4c98 (patch) | |
| tree | a3779dc40e5e8bccba9bb269864ce24dc0b69b2c /src | |
| parent | b36927e35cd26d17199d748d3ece20f760630926 (diff) | |
| download | teliva-f8f1ec666afd0ec85fd6a7eff5f5b728412b4c98.tar.gz | |
stop letting apps change directory
I introduced this ability when I packaged up the lfs directory, but it can enable apps to circumvent sandboxing rules in some situations. If you can socially engineer someone to allow reading a file called 'passwd' in the current directory, you can now change directory to /etc and read something sensitive. Protecting against stuff like this gets subtle. It's easy for people to create policies that aren't robust to changing directories. Requiring absolute paths is also pretty unfriendly. So the whole notion of current directory is perhaps implicit state that is confusing to manage. Fix it in the context of a single session.
Diffstat (limited to 'src')
-rw-r--r-- | src/lfs.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lfs.c b/src/lfs.c index 29c4f55..536bf99 100644 --- a/src/lfs.c +++ b/src/lfs.c @@ -1156,8 +1156,8 @@ static void set_info(lua_State * L) static const struct luaL_Reg fslib[] = { { "attributes", file_info }, - { "chdir", change_dir }, - { "currentdir", get_dir }, + /* no 'chdir' without sandboxing it */ + /* no 'currentdir' without sandboxing it */ { "dir", dir_iter_factory }, { "link", make_link }, { "lock", file_lock }, |
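Review bot: dropping the `chdir` and `currentdir` entries from `fslib[]` leaves `change_dir` and `get_dir` defined but unreferenced in src/lfs.c; if they are `static` like `set_info` in the hunk header, the build now warns under -Wunused-function, so either delete the two functions in the same commit or wrap them in `#if 0` next to these comments so the disabled code and the reason stay together. A second point for app authors: a Lua call to `lfs.chdir(...)` or `lfs.currentdir()` will now fail with a generic "attempt to call a nil value" rather than anything mentioning the sandbox; registering stubs that raise via `luaL_error(L, "lfs.chdir is disabled")` (or documenting the removal where the other sandboxing rules are listed) would make the policy visible at the point of failure instead of looking like a missing library function.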